Agenda 

>The Cloud Security Information Fountain 

> The Payment Card Industry Data Security Standard 

> PCI + Virtualisation 

> PCI + Private/Virtual-Private/Dedicated Clouds 

> PCI + Public Clouds - "PCI" and non-PCI compliant 

> Cloud Security Alliance - Australia Chapter 
Note! 

> I AM a PCI QSA. 

> If I am NOT YOUR QSA then the contents of this presentation can NOT be taken as PCI advice. 

> YOU must consult with YOUR QSA to determine the 
relative merits of YOUR particular situation to 
determine sufficient controls to ensure compliance. 


QSAs really are assessed too... 

Q What is the Council announcing? 

A Effective immediately, the Council is announcing the revocation of [company name redacted]'s status as a Council Qualified Security Assessor (QSA) and Payment-Application Qualified Security Assessor (PA-QSA). 

Q When is this revocation effective? 

A This revocation is effective immediately, August 03, 2011 

Q Why is this revocation happening? 

A [company name redacted]'s status as QSA and PA-QSA is being revoked due to the company's failure to meet the high standards demanded of QSAs and PA-QSAs. 
Cloud = Hot Topic 

(Chart: Cloud security current research) 
PUBLIC - ©2012 Bridge Point Communications 
Dr David Ross: Moving Credit Card Data into The Cloud 
David_Ross@bridgepoint.com.au 



Payment Cards are also a hot topic 

> Jun 2005 CardSystems Solutions ~40 million cards 

> Jan 2007 TJX Companies Inc. up to 90 million cards 

> Jan 2009 Heartland Payment Systems ~130M cards 

> May 2011 Citigroup ~360,000 cards 

> ...then 8 weeks ago... 




Payment Cards are also a hot topic 

(Logos: Global Payments, KPN) 
PCI Security Standards Council 




PCI Data Security Standard 

> "PCI DSS" Version 2.0 (October 2010) 

> 12 High-level requirements: 



Build and Maintain a Secure Network 

1. Install and maintain a firewall configuration to protect cardholder data 
2. Do not use vendor-supplied defaults for system passwords and other security parameters 

Protect Cardholder Data 

3. Protect stored cardholder data 
4. Encrypt transmission of cardholder data across open, public networks 

Maintain a Vulnerability Management Program 

5. Use and regularly update anti-virus software or programs 
6. Develop and maintain secure systems and applications 

Implement Strong Access Control Measures 

7. Restrict access to cardholder data by business need to know 
8. Assign a unique ID to each person with computer access 
9. Restrict physical access to cardholder data 

Regularly Monitor and Test Networks 

10. Track and monitor all access to network resources and cardholder data 
11. Regularly test security systems and processes. 

Maintain an Information Security Policy 

12. Maintain a policy that addresses information security for all personnel. 
PCI DSS and Assessments 

> Highly prescriptive 

> 12 High-level requirements 

> 198 Detailed requirements (194 if not hosting provider) 

> 297 Audit Test Procedures (289 if not hosting provider) 
> 1063 (1004) Items of Evidence to be reported in ROC 


For example... 

(Extract from the PCI DSS requirements and testing procedures table) 

Requirement 1: Install and maintain a firewall configuration to protect cardholder data 

PCI DSS Requirement 1.1: Establish firewall and router configuration standards that include the following: 

Testing Procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following: 

PCI DSS Requirement 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations 

Testing Procedure 1.1.1: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations 

ROC Reporting Details: Identify ... (items i. to iv. cut off in the image) 
Some have multiple test procedures 

(Extract from the PCI DSS table: Requirements / Testing Procedures / ROC Reporting Details (For In-Place Requirements)) 

PCI DSS Requirement 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 

Testing Procedure 2.1.1: Verify the following regarding vendor default settings for wireless environments: 

2.1.1.a Verify encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions 
ROC: Identify the document requiring that wireless encryption keys must be changed: i. from default at installation; ii. anytime anyone with knowledge of the keys leaves the organization or [cut off]. Identify the responsible personnel interviewed who confirm the documented procedures for changing keys are followed: i. at installation; ii. anytime anyone with knowledge of the keys leaves the organization or [cut off] 

2.1.1.b Verify default SNMP community strings on wireless devices were changed 
ROC: Identify the document requiring that default SNMP community strings must be changed [partly illegible]. Describe how observed wireless configurations confirm that default SNMP community strings are changed. 

2.1.1.c Verify default passwords/passphrases on access points were changed 
ROC: Identify the document requiring that default passwords/passphrases on access points be changed. Describe how observed wireless configurations confirm that default passwords/passphrases were changed. 

2.1.1.d Verify firmware on wireless devices is updated to support strong encryption for authentication and transmission over [cut off] 
ROC: Identify the document requiring that firmware on wireless devices must be updated to support strong encryption for [cut off] 

And many items of evidence each... 



Reporting Methodology 

ROC Reporting Details (For In-Place Requirements) 

Identify whether any insecure services, protocols or ports are allowed. For each insecure service, protocol and port allowed: 

• Identify the documented justification. 
• Identify the responsible personnel interviewed who confirm that each insecure service/protocol/port is necessary. 
• Identify the firewall and router configuration standards which define the security features required for each insecure service/protocol/port. 
• Describe how observed firewall configurations verify the security features are implemented. 
• Describe how observed router configurations verify the security features are implemented. 

• Identify the firewall configuration standards that require a review of firewall rule sets at least every six months. 
• Identify the router configuration standards that require a review of router rule sets at least [cut off] 
Little in print on PCI in the Cloud 

(Document covers shown: PCI Security Standards Council, "Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures", Version 2.0, October 2010; and "Information Supplement: PCI DSS Virtualization Guidelines", June 2011) 

Except for vendors... 

(AWS PCI FAQ screenshot, cut off at the right margin: "What Amazon Web Services product offerings support storage, processing and transmission of credit card data?"; "What does this mean to me as a PCI merchant or service provider?"; "What does this mean to me as a non-PCI [cut off]". The same FAQ appears again later in the deck.) 
Cloud ≠ Insecure 

(Image: Neuschwanstein Castle, Bavaria, in clouds) 
NASA uses Cloud for Crowd Sourcing 

(Tom Soderstrom's slides, JPL) 

(Architecture diagram: Amazon Web Services, Elastic Load Balancing, SimpleDB, Open Social Gadgets) 

By Tom Soderstrom, IT CTO, Jet Propulsion Laboratory, California Institute of Tech. 
Many willingly be part of the Matrix 




PCI recognises Cloud 

> But NOT in the PCI DSS (Data Security Standard) 

> "cloud" does not appear in the 75 pages of the DSS 

> "virtualisation" appears twice: 

□ "System components" includes virtualisation components 
such as VMs, virtual switches/routers, VAs, VSAs/SVAs, 
virtual applications, VDI, and hypervisors; and 

□ Requirement 2.2.1: Implement only one primary function per virtual system component. 
PCI DSS Virtualization Guidelines 

> Virtualization Special Interest Group (SIG) 

> June 2011: PCI DSS v2.0 Information Supplement: PCI DSS Virtualization Guidelines 




(Table from the Virtualization Guidelines: Area of Responsibility by Type of Cloud Service) 

Areas of Responsibility: 

Data 

Software, user applications 

Operating systems, databases 

Virtual infrastructure (hypervisor, virtual appliances, VMs, virtual networks etc) 

Computer and network hardware (processor, memory, storage, cabling, etc.) 

Data center (physical facility) 



Let's start with a reference example 

> A ("real") company "ABC"'s network connections: 

(Network diagram, including Call Centre and Internet connections) 
PCI is more than just "IP" security 

> "ABC's" real network connections : 
Company "ABC" pre-PCI-Compliance 

(Network diagram: Acquirer, Web Server, eCommerce, Internet) 
Scope of Assessment 

> The cardholder data environment is comprised of 
people, processes, facilities and technology, that 
store, process, or transmit cardholder data. 

> PCI DSS applies to all system components 

> "system components" is any network component, 
server, or app that is included in or connected to CDE 

> includes virtualisation components such as VMs, VAs, VSAs, vSwitches/routers, VDI, hypervisors & consoles 
(Four network-diagram slides building up the scope:) 

Scope - not many POS terminals 

Scope - plus hosts & printers 

Scope - plus supporting services 

Scope - plus ANY connected subnet 







PCI DSS is a prescriptive standard 

> 1.1.3 Require a firewall at each Internet connection and 
between any DMZ and the internal network zone 

> 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment 

> 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ 

> 1.3.3 Do not allow direct connections inbound or outbound [cut off] 

> 1.3.7 Place components that store CHD (files or DBs) in an internal network segregated from DMZs 
"ABC" Post-PCI (two years ago): 

Then they went virtual... 

Many QSAs declared virtualised environments non-compliant 

> 1.3.7 Place systems that store CHD segregated from DMZs 

> 2.2.1 Implement only one primary function per server 

> 2.4 Hosting providers must protect each entity's environment & CHD 

> 6.4.1 Separate development/test and production environments 

> 11.4 Use IDS or IPS to monitor ALL traffic at the perimeter of the CDE as well as at critical points inside 




Cloud was even harder... 

> All the above plus more 

> 5.2 Ensure that all anti-virus mechanisms are current, 
actively running, and generating audit logs 

> 6.1 Install critical patches within one month of release 

> 6.4.5.4 Back-out procedures in change control 

> 6.6 Public-facing web applications: annual application 
vulnerability security assessment or install a WAF 

> 7.1 & 7.2 Limit access to systems: RBAC & need-to-know 






And public cloud had no chance... 

> 9.1.3 Restrict physical access to gateways, devices, networking/communications hardware, and telecomms 

> 10.2 Implement automated audit trails for all components 

> 11.2 Run internal & external vulnerability scans quarterly 

> 11.3 Perform external & internal pen testing annually 

> 11.5 Deploy file-integrity monitoring for critical system files, configuration files, and content files 




If virtualisation is implemented, 

> All components within the virtual environment will 
need to be identified and considered in scope 

□ including individual virtual hosts or devices, 

□ management interfaces, 

□ central management consoles, 

□ hypervisors, and 

□ all intra-host and external communications and data flows. 





"ABC" Post-PCI Pre-virtual CDE: 

(Network diagram showing the CDE) 

How the Sysadmin Saw It: 

(Diagram) 

How the Auditor Saw It: 

(Diagram: Hypervisor) 
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Your hypervisor is NOT a firewall 

> A virtual firewall (VM or VSA/SVA) is fine 

> It can segment your virtual networks including your CDE 

> It can NOT protect the hypervisor it is running on 

> A hypervisor running any CDE guest is automatically CDE 

> No part of the CDE may directly connect to untrusted networks 

> A hypervisor running any CDE guest VM or VA can NOT be directly connected to untrusted networks 
Hypervisor attack surface 

(Image Source: VMware (EMC) marketing material) 

Back to our example: 
And the Final Kicker: 

VSIG: Mixed-Mode Environments 

> Strongly recommended (and a basic security principle) 

□ VMs of different security levels are not hosted on the same 
hypervisor or physical host 

□ concern VM with lower security could launch attack on others 



> This should also be applied if in-scope & out-of-scope virtual systems are located on the same host or hypervisor. 
PCI VSIG Cloud killer: 

> General rule: any VM or other virtual 
component that is hosted on same hardware 
or hypervisor as an in-scope component 
would also be in scope for PCI DSS, 

as both the hypervisor & underlying host provide 
a connection (either physical, logical, or both) 




VSIG Cloud Computing "catch-all" 

> Entities planning to use cloud computing for PCI 
should first ensure they thoroughly understand the 
details of the services offered, & perform a detailed 
assessment of the unique risks with each service. 

> ...it is crucial that the hosted entity and provider 
clearly document the responsibilities assigned to 
each party for maintaining PCI DSS requirements 
and controls that could impact the security of CHD. 
NIST Cloud Computing Reference Architecture, Version 1, March 30, 2011 
Information Technology Laboratory Cloud Computing Program 
National Institute of Standards and Technology, U.S. Department of Commerce 

Three Cloud Service Models 

> Cloud Software as a Service (SaaS) 

> Cloud Platform as a Service (PaaS) 

> Cloud Infrastructure as a Service (IaaS) 
Four Cloud Deployment Models 

> Private Cloud 

> Community Cloud 

> Public Cloud 

> Hybrid Cloud 

(Image: sign reading "NO PUBLIC SEATING") 

PCI's version of Private Cloud 

> System components trusted & controlled by the entity 

> Owned by the entity or a third party 

> In facilities owned by the entity or a third party 

□ May be owned by a service provider and provisioned for 
dedicated use by a single customer 

> Irrespective of ownership, dedicated to a single entity 
and are not shared with any other customer or tenant 






PCI's version of Public Cloud 

> Service-based access for multiple customers or tenants, to shared computing resources, that the entity does not own or have control over 

> Components remaining under control of provider will vary according to type of service — IaaS, PaaS, SaaS 

> Physical separation between tenants is not practical — 
by its very nature, resources are shared by everyone 




PCI's version of Hybrid Cloud 

> Combination of private & public cloud infrastructures 

> Public cloud or another entity's private cloud 

> Ownership & control of data and system components 
may be divided b/w three or more separate entities 

> Complex scope boundaries & defining responsibilities 
Figure 3: NIST Essential Characteristics (Wikia Inc., IT Law Wiki, Cloud computing): Broad network access, On-demand self service, ... 

NIST Cloud Architecture: Visual Model Of NIST Working Definition Of Cloud Computing 
http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html 
(Diagram: Essential Characteristics; Service Models: SaaS, PaaS, IaaS; Deployment Models) 
Cloud Security Alliance 

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 

CSA Australia meeting 12:35 THU 
Reference Model 

> Cloud Software as a Service (SaaS) 

> Cloud Platform as a Service (PaaS) 

> Cloud Infrastructure as a Service (IaaS) 

(CSA reference model diagram) 

Moving to The Cloud. 

(Image: NASA - Space Shuttle Rising (May 2011)) 
1. Have Someone Else Do It 

2. Non-PCI Cloud Offerings 

> Use public cloud (SaaS, PaaS, IaaS) 

> Cloud environment segmented from CDE 

> NO PANs in any cloud environment 

> Truncation / Hashing / Tokenisation 

> NO encrypted PANs! ... well maybe ... 
© 2011 Cloud Security Alliance, Inc. 

Common PAN Leakage 

> Excel spreadsheet on cloud systems 
□ Box, Dropbox, Google Documents 

> Application screenshots 

> Finance and HR documents with PANs 

> Other Office formats with PAN information 

> Text dumps from poorly-written/legacy applications 
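A defender-side illustration of the two slides above (PANs leaking into cloud file stores, and truncation, hashing and tokenisation as the alternatives to putting PANs in a non-PCI cloud), added here and not part of the original deck: a scanner that finds Luhn-valid card numbers in a constructed text dump, beside the three de-identification options. The regex, the HMAC key and the TokenVault class are this example's own assumptions; the card numbers are publicly documented test numbers, not real cards.

```python
"""PAN discovery and de-identification helpers (added example, not from the deck)."""
import hashlib
import hmac
import re
import secrets

# Runs of 13-19 digits, optionally split by single spaces or dashes, the way
# PANs tend to appear in spreadsheets, screenshots and legacy text dumps.
# The pattern is an assumption of this example, not a PCI-defined one.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; weeds out invoice numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PAN candidates found in free text, digits only."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its truncated form."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_mask, text)


def hash_pan(pan: str, key: bytes) -> str:
    """Hashing: keyed one-way hash (HMAC-SHA256) of the full PAN.

    An unkeyed hash is not enough: with the 6-digit issuer prefix known and
    the Luhn digit fixed, only about 1e9 candidates remain for a 16-digit PAN,
    which is cheap to brute-force. The key must stay inside the CDE, never in
    the cloud store that holds the hashes.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenisation: random index tokens that map back to PANs only inside the CDE."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a stable random token for the PAN; the token carries no card data."""
        if pan not in self._token_by_pan:
            token = "tok-" + secrets.token_hex(8)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Look a token up; only the vault, inside the CDE, can do this."""
        return self._pan_by_token[token]


# Constructed sample: the kind of export that ends up in Dropbox or Google Docs.
SAMPLE_DUMP = """\
Invoice 1234567890123456 paid by card 4111 1111 1111 1111 exp 03/14
Refund to 5105-1051-0510-5100 processed, call 0412 345 678 for queries
Order ref 9876543210 shipped
"""

if __name__ == "__main__":
    hits = find_pans(SAMPLE_DUMP)
    print("PANs found:", [truncate_pan(p) for p in hits])
    print(redact_pans(SAMPLE_DUMP))
    vault = TokenVault()
    for pan in hits:
        print(pan[-4:], "->", vault.tokenize(pan), hash_pan(pan, b"cde-only-key")[:16])
```

The invoice number in the sample is a 16-digit run that fails the Luhn check, so the scanner reports only the two card numbers and the redacted dump no longer contains a scannable PAN.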



Dropbox 

Security Overview 

We provide this overview so that you can better understand the security measures we've put in place to protect the information that you store using Dropbox. 

Secure Storage 

We encrypt the files that you store on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and we manage the encryption keys. 

Dropbox uses Amazon S3 for data storage. Amazon stores data over several large-scale data centers. According to Amazon, they use military grade perimeter control berms, video surveillance, and professional security staff to keep their data centers physically secure. 

You can find more information about Amazon's security at the Amazon Web Services' website. 

Amazon and Dropbox also employ significant protection against network security issues such as Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, and packet sniffing. 

Secure Transfers 

Your files are sent between Dropbox's desktop clients and our servers over a secure channel using 256-bit SSL (Secure Sockets Layer) encryption, the [cut off] 

What Amazon Web Services product offerings support storage, processing and transmission of credit card data? 

Services that support the processing, storage, and transmission of credit card data by a merch[...] provider have been validated as being compliant with PCI standards. These services include: 

• Amazon Elastic Compute Cloud (EC2) 
• Amazon Simple Storage Service (S3) 
• Amazon Elastic Block Storage (EBS) 
• Amazon Virtual Private Cloud (VPC) 
• Amazon Relational Database Service (RDS) 
• Amazon Elastic Load Balancing (ELB) 
• Amazon Identity and Access Management (IAM) 
• The underlying physical infrastructure and the AWS Management Environment 

What does this mean to me as a PCI merchant or service provider? 

Our PCI Service Provider status means that customers who use our services to store, process [...] cardholder data can rely on our PCI compliance validation for the technology infrastructure as th[...] own compliance and certification, including PCI audits and responses to incidents. Our service p[...] covers all requirements as defined by PCI DSS for physical infrastructure service providers. Movi[...] cardholder environment to AWS can simplify your own PCI compliance by relying on our validate[...] status. If your QSA currently needs additional supporting information, please contact us. 
(Screenshot: amazon.com, Amazon Cloud Drive: "Anything Digital, Securely Stored, Available Anywhere". 5 GB of free online storage. Unlimited access from any computer. Never worry about losing your files again.) 
(Screenshot: files in a cloud drive) 

cardnos.docx - Created May 9, 2012 by You - 12.7 KB 

transactional.ARJ - Created May 13, 2012 by You - 102.3 KB 

apriltransactions.tar - Created May 13, 2012 by You - 130.0 KB 

autocardpay.exe - Created May 13, 2012 by You - 2.6 MB 

Card Reconciliations for April.rtf 
Box: Collaboration for Any Business 

(Box.net Terms of Service excerpt, partly cut off in the screenshot:) 

"BOX.NET MAKES NO WARRANTIES. [...] in no way liable for loss of customer data. [...] be held accountable for any loss of customer data. By becoming a Box user you, the customer, acknowledge that you forfeit the right to hold Box accountable for any and all technical errors including loss of user files (customer data)." 

"In the event that Box concludes offering data storage services Box users will receive the option to have their stored files sent to them in CD or other format selected by Box. Box does not guarantee length of service." 

"Box intends for the information contained on its Site and Services to be accurate and reliable; however errors sometimes may occur. In addition, Box may make changes and improvements to the information provided herein at any time. BOX.NET PROVIDES ITS SITE AND SERVICES "AS IS," "WITH ALL FAULTS" AND "AS AVAILABLE," AND THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. BOX.NET, ITS AFFILIATES, RESELLERS, DISTRIBUTORS, SERVICE PROVIDERS AND/OR SUPPLIERS (EACH A "BOX.NET PARTY" AND COLLECTIVELY THE "BOX.NET PARTIES") MAKE NO REPRESENTATIONS, WARRANTIES OR CONDITIONS, EXPRESS OR [cut off]" 
Google Docs: Create and share your work online 

Create, share, and collaborate on the web with documents, spreadsheets, presentations, and more. (Documents, Spreadsheets, Presentations, Drawings, Forms) 

Google cloud services 
Build your business with Google's cloud services 

(Google service terms excerpt:) 

2. Provision of the Service. 

2.1 Console. Google will provide the Service to Customer. As part of receiving the Service, Customer will have access to the Admin Console, through which Customer may administer the Service. 

2.2 Facilities and Data Transfer. All facilities used to store and process an Application (including Customer Content) [...] Google has implemented at least industry standard systems and procedures to ensure the security and confidentiality of an Application and Customer Content, protect against anticipated threats or hazards to the security or integrity of an Application and Customer Content, and protect against unauthorized access to or use of an Application and Customer Content. Google may process and store an Application and Customer Content in the United States or any other country in which Google or its agents maintain facilities. By using the Service, Customer consents to this processing and storage of the Application and Customer Content. 



(Google Checkout Merchant Help: Compliance with Payment Card Industry (PCI) standards) 

Google has been certified as compliant with Level One of the Payment Card Industry (PCI) standards. 

For more information, please visit VISA's list of compliant service providers. 
Tools & Resources 

Microsoft: How Microsoft Addresses the Four Top Cloud Computing Issues 

When considering cloud computing solutions, organisations list security, privacy, reliability, and operational control as key issues. 

Microsoft addresses these issues through the coordinated and strategic application of people, processes, technologies, and experience. The result is continuous cloud security advances within the Microsoft cloud environment. This provides organisations with the freedom to engage in an expansive portfolio of cloud solutions, where they can save money and refocus on their core competencies. 
Information Security Program 

Microsoft's online Information Security Program defines how OSSC operates. The program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005. To view the ISO/IEC 27001:2005 certificate, see the Certificate/Client Directory Search Results page. 

The Information Security Program organizes security requirements into three top-level domains: Administrative, Technical, and Physical. The criteria in these domains represent the basis from which risk is managed. Starting with the safeguards and controls identified in the domains and their subcategories, the Information Security Program follows the ISO/IEC 27001:2005 framework of "Plan, Do, Check, Act." 

(Plan-Do-Check-Act diagram: PLAN: Risk-based Decision Making, Document Requirements; DO: Implement Appropriate Controls, Operate Controls; CHECK: Measure and Improve; ACT: Validate Program Effectiveness, Adjust to Remain Relevant) 

Operational Compliance 

The Microsoft online services environment must meet numerous government mandated and industry specific security requirements in addition to Microsoft's own business driven specifications. As Microsoft online businesses continue to grow and change and new online services are introduced into the Microsoft cloud, additional requirements are expected that could include regional and country specific data security standards. The Operational Compliance team works across operation, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations. The following list presents an overview of some of the audits and assessments that the Microsoft cloud environment undergoes on a regular basis: 

• Payment Card Industry Data Security Standard - related to credit card transactions. Requires annual review and validation of security controls 

• Media Ratings Council - relates to the integrity of advertising system data generation and processing. 

• Sarbanes-Oxley - selected systems are audited annually to validate compliance with key processes related to financial reporting integrity. 

• Health Insurance Portability and Accountability Act - specifies privacy, security, and disaster recovery requirements for electronic health records. 

• Internal audit and privacy assessments - Assessments occur throughout a given year. 

Meeting all these audit obligations became a considerable challenge at Microsoft. Upon studying the requirements, Microsoft determined that many of the audits and assessments required evaluation of the same operational controls and processes. Recognizing the significant opportunity to eliminate redundant efforts, streamline processes, and proactively manage compliance expectations in a more comprehensive manner, OSSC developed a comprehensive compliance framework. This framework and associated processes are based on a five step methodology represented in the following illustration: 
Microsoft Azure Cloud Security

One of the successes of having implemented this program is that Microsoft's cloud infrastructure has achieved both SAS
70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. This achievement demonstrates Microsoft's
commitment to delivering a trustworthy cloud computing infrastructure because:

• The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized 
information security controls defined in this standard, and 



• The SAS 70 attestations illustrate Microsoft's willingness to open up internal security programs to outside 
scrutiny. 




Security and regulatory compliance 



As a service provider, Microsoft must comply with regulatory requirements of the governmental entities within whose
jurisdictions Azure operates, along with industry regulations that cover many companies in specific fields. Microsoft's
compliance framework is designed to address this challenge. The security for Microsoft's cloud infrastructure is
managed by the Online Services Security and Compliance team, which maintains the security control framework and
develops policies and programs for ensuring compliance and managing security risks.

The Microsoft cloud undergoes annual audits for PCI DSS, SOX and HIPAA compliance, as well as internal
assessments throughout the year. The Microsoft cloud has obtained ISO/IEC 27001:2005 certification and SAS 70 Type
I and II attestations.
Rackspace's non-PCI offerings



Basic Cloud Example

[Diagram, for illustrative purposes only: a web instance and a database instance, each a Cloud Server, with Cloud Files
storage; servers are added as needed.]
Configuration Notes:

> Scalable cloud infrastructure and storage

> Rapid deployment

> Utility pay

> Linux® or Windows®

> Managed service level available for Cloud Servers™

> Not ideal for sites with specific compliance needs




3. Dedicated Machines 
Rackspace Enhances Security with PCI Accreditation



Date: August 13th, 2009 

LONDON - 13 August, 2009 - Rackspace® Hosting, the world's leader in hosting, today announces it is Payment
Card Industry (PCI) Data Security Standard (DSS) compliant, meeting a comprehensive set of security requirements
designed to protect cardholder information.

PCI DSS certification as a Level 1 Service Provider reinforces Rackspace's ability to provide secure services to its
customers, particularly in the E-Commerce sector, where the need to protect cardholder information is critical.
Rackspace can now provide a more comprehensive set of products and services, which can help enable a
customer to better meet their compliance requirements. The Rackspace PCI service is backed by Rackspace's
Fanatical Support® which offers 24x7x365 support.

The scope of Rackspace's PCI service provider accreditation covers the following:

> Physical security for

□ UK and US data centres

□ US and UK offices

> Network infrastructure (routers and switches)

> Employee access to network devices

> Rackspace's dedicated hardware



Basic Dedicated Example 



[Diagram, for illustrative purposes only: dedicated servers with third-party security services (Symantec, Alert Logic).]

Configuration Notes:

> Highly secure

> Scalable dedicated infrastructure

> High performance & reliability

> Managed security services available

> Fully redundant (HA)

> Linux® or Windows®

> Highest levels of monitoring

Dedicated Virtual Servers






Virtualized Example

[Diagram, for illustrative purposes only.]




Configuration Notes:

> Highly secure

> High performance & reliability

> Highest levels of monitoring

> Scalable dedicated infrastructure

> Maximum resource utilization with private cloud

> Scale VM resources & deploy quickly

> Managed security services available

> Fully redundant (HA)

> Linux® or Windows®





Achieving PCI DSS Compliance with Rackspace
PCI Compliance Requirements

REQUIREMENT 1.1 TO 1.1.1

Formal Process for Approving and Testing all Network Connections and Changes to the Network
Configuration

Overview

Implement policies and processes for approving and testing all connections and changes to the network. The policy
should list all network devices involved in the data flow.

Responsibility

Requirement can be achieved by incorporating the formal process into the customer security policy. Customers are
responsible for implementing formal security controls, including a security policy and associated processes and
procedures to adhere to the security policy.



REQUIREMENT 1.1.2 



Current Network Diagram with All Connections to Cardholder Data, Including Wireless Networks 
Overview 

Network diagram and topology documents 

Responsibility 

Customer is responsible for mapping the data flow of card holder data across the network. Rackspace can provide 
network diagram upon request. 



REQUIREMENT 1.1.3 



Requirement for a Firewall at each Internet Connection and between DMZ 

Overview 

Minimise the risk of malicious access to the internal network by implementing a firewall at each internet connection 
and between DMZ. This should include restricting inbound and outbound traffic to that which is necessary for the 
cardholder data environment, secure and sync up firewall and router configurations, prohibit internal addresses from 
being passed to the internet, allow only the necessary protocols, stateful packet inspection, implementing NAT, 
security of mobile devices connecting to cardholder environment. 

Responsibility 

Customer is responsible for incorporating this requirement as a standard as part of the customer security policy. 

Rackspace will configure the firewall for this requirement, upon request from the customer. 
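Whether Rackspace or the customer configures the firewall, the customer still owns the rule set, and the Requirement 1.1.3 items above are concrete enough to check mechanically. The following is an added example, not from the slides or from Rackspace's document: a small first-match rule evaluator plus an audit that flags any/any permits, Internet reachability of the cardholder database tier, unrestricted egress from that tier, and outbound rules that would pass an RFC 1918 source address to the Internet without NAT. The rule format, the zone addresses (10.10.1.0/24 as the DMZ web tier, 10.10.2.0/24 as the DB tier) and the two rule sets are assumptions constructed for illustration.

```python
"""Audit of a hosted CDE firewall ruleset against the Requirement 1.1.3 points.

Added example, not from the slides or from Rackspace's document. The rule
format, the zone addresses and the individual checks are assumptions chosen to
illustrate: restrict inbound and outbound traffic to what the cardholder data
environment needs, allow only necessary protocols, and do not pass internal
(RFC 1918) addresses to the Internet without NAT. Evaluation is first-match
with an implicit deny, which is how most stateful firewalls apply a rule table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zones: web tier in the DMZ, database tier holding cardholder data.
DMZ = ip_network("10.10.1.0/24")
CDE_DB = ip_network("10.10.2.0/24")


def is_private(net):
    return any(net.subnet_of(p) for p in RFC1918)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR; "0.0.0.0/0" stands for the Internet / anywhere
    dst: str
    proto: str         # "tcp", "udp" or "any"
    dport: str         # destination port as a string, or "any"
    nat: bool = False  # outbound traffic matching this rule is source-NATed

    def matches(self, src_ip, dst_ip, proto, dport):
        return (src_ip in ip_network(self.src) and dst_ip in ip_network(self.dst)
                and self.proto in ("any", proto) and self.dport in ("any", str(dport)))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match decision for one flow; anything unmatched is denied."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def audit(rules):
    """Return human-readable findings for rules that break the CDE policy."""
    findings = []
    if not rules or rules[-1] != Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"):
        findings.append("last rule is not an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if r.proto == "any" and r.dport == "any":
            findings.append(f"rule {i}: allows any protocol and port ({r.src} -> {r.dst})")
        if src == ANY and dst.overlaps(CDE_DB):
            findings.append(f"rule {i}: Internet can reach the cardholder DB tier ({r.dst})")
        if src.overlaps(CDE_DB) and dst == ANY:
            findings.append(f"rule {i}: unrestricted outbound traffic from the DB tier")
        if is_private(src) and not is_private(dst) and not r.nat:
            findings.append(f"rule {i}: internal address {r.src} passed to the Internet without NAT")
    return findings


# Constructed ruleset that follows the policy: HTTPS in to the web tier only,
# MySQL from the web tier to the DB tier only, NATed egress to one patch mirror.
GOOD_RULES = [
    Rule("allow", "0.0.0.0/0", "10.10.1.0/24", "tcp", "443"),
    Rule("allow", "10.10.1.0/24", "10.10.2.0/24", "tcp", "3306"),
    Rule("allow", "10.10.2.0/24", "203.0.113.0/24", "tcp", "443", nat=True),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

# Constructed ruleset with the shortcuts the audit is meant to catch:
# MySQL opened to the world and the DB tier allowed to talk to anything.
BAD_RULES = [
    Rule("allow", "0.0.0.0/0", "10.10.2.0/24", "tcp", "3306"),
    Rule("allow", "10.10.2.0/24", "0.0.0.0/0", "any", "any"),
    Rule("allow", "10.10.1.0/24", "10.10.2.0/24", "tcp", "3306"),
]

if __name__ == "__main__":
    for line in audit(BAD_RULES):
        print(line)
```

Running this over BAD_RULES produces five findings (no terminal deny-all, MySQL exposed to the Internet, an any/any rule, unrestricted DB-tier egress, and un-NATed private source addresses), while GOOD_RULES produces none; the same `evaluate` call shows a flow from an Internet address to the DB tier on 3306 denied by the first set and allowed by the second. A real review would run against the exported rule base rather than hand-written objects, but the checks are the ones a QSA walks through when reading the configuration.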



REQUIREMENT 1.1.4 



Description of Groups, Roles and Responsibilities for Logical Management of Network Components 
Overview 

Clear assignment of groups, roles and responsibilities can be incorporated into the customer security policy 

Responsibility 

In a typical Rackspace PCI customer hosted environment, Rackspace manages the following devices:

> IDS

> Load Balancer

> Firewall (customer can make firewall access rule changes via the customer portal)

Rackspace support team and selected customer personnel also have access to manage the following devices:

> Servers

Any changes to the customer hosted environment should be initiated by the customer via phone or ticket. All changes 
to the customer environment should be recorded in a ticket by the Rackspace support team and by the customer. 
There may be occasions when Rackspace are required to make changes to the corporate infrastructure which may 
affect a customer hosted environment, however all changes are communicated prior to any changes being performed. 






4. Mixed Dedicated + Public Cloud 
Dedicated Data + Public Cloud Web

Hybrid with 3rd Party Gateway Example

[Diagram, for illustrative purposes only: public Cloud Servers for the web tier, a dedicated back end for the data, and
an external third-party payment gateway; Symantec security services.]



Configuration Notes:

> Improved security

> External payment gateway

> Managed security services available

> Scalable Cloud Server™ and Cloud Files™ storage

> High performance & data isolation of dedicated backend

> Increased security & data isolation of dedicated backend

> Highest levels of monitoring

> Linux® or Windows®

5. PCI-certified IaaS (+ any others)
What Amazon Web Services product offerings support storage, processing and transmission of credit card data?

Services that support the processing, storage, and transmission of credit card data by a merchant or service
provider have been validated as being compliant with PCI standards. These services include:

> Amazon Elastic Compute Cloud (EC2)

> Amazon Simple Storage Service (S3)

> Amazon Elastic Block Storage (EBS)

> Amazon Virtual Private Cloud (VPC)

> Amazon Relational Database Service (RDS)

> Amazon Elastic Load Balancing (ELB)

> Amazon Identity and Access Management (IAM)

> The underlying physical infrastructure and the AWS Management Environment

What does this mean to me as a PCI merchant or service provider?

Our PCI Service Provider status means that customers who use our services to store, process or transmit
cardholder data can rely on our PCI compliance validation for the technology infrastructure as [they manage their]
own compliance and certification, including PCI audits and responses to incidents. Our service provider status
covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving your
cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider
status. If your QSA currently needs additional supporting information, please contact us.
Amazon's Private + Public (All PCI)

[Diagram: the customer's isolated AWS resources, divided into subnets, inside the Amazon Web Services cloud and
connected to the customer's network. Annotation: "Everything!"]
Trustwave Global Security Report 2011 (p. 12):
'believed they purchased a "PCI compliant" system' 
Where to go from here

> Deciding What, When, & How to Move to the Cloud 

> Identify the asset you want to "vaporise" 

□ Data 

□ Applications/Functions/Processes 

> Evaluate the asset 

□ Evaluate the BUSINESS asset, not the IT asset 
[Screenshot of a SaaS accounting product's pricing page: Small, Medium and Large plans priced per month in AUD
(29, 49 and a larger plan; prices include GST), differing in invoicing, bank reconciliation and multi-currency limits.
All pricing plans include: a free trial, no setup fees, upgrade fees or contracts, unlimited users, unlimited customer
support, access anywhere online, automatic backups, pay by credit card, and cancel online at any time.]
Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

MISSION STATEMENT

To promote the use of best practices 
for providing security assurance within 
Cloud Computing, and provide 
education on the uses of Cloud 
Computing to help secure all other 
forms of computing. 



About the Cloud Security Alliance 

> Global, not-for-profit organization

> Building best practices and a trusted cloud ecosystem

> Comprehensive research and tools

> Certificate of Cloud Security Knowledge (CCSK)

> www.cloudsecurityalliance.org
Evaluate the asset



1 . How would we be harmed if the asset became widely public and widely 
distributed? 

2. How would we be harmed if an employee of our cloud provider accessed the 
asset? 

3. How would we be harmed if the process or function were manipulated by an 
outsider? 

4. How would we be harmed if the process or function failed to provide 
expected results? 

5. How would we be harmed if the information/data were unexpectedly 
changed? 

6. How would we be harmed if the asset were unavailable for a period of time? 



Choose cloud deployment model

1. Public. 

2. Private, internal/on-premises. 

3. Private, external (including dedicated or shared infrastructure). 

4. Community; taking into account the hosting location, potential 
service provider, and identification of other community members. 

5. Hybrid. To effectively evaluate a potential hybrid deployment, 
you must have in mind at least a rough architecture of where 
components, functions, and data will reside. 
Evaluate service models/providers

> Focus on the degree of control you'll have at each SPI 
(SaaS, PaaS, laaS) tier to implement required risk management 

> Sketch the potential data flow between 

□ your organisation, 

□ the cloud service, 

□ and any customers/other nodes. 

> Before making a final decision it's essential to understand 
whether, and how, data can move in and out of the cloud. 



©2011 Cloud Security Alliance, Inc.



Stay Compliant 

Ongoing compliance with PCI DSS - tasks and their frequency:

> Annual (+ major changes): risk assessment, security awareness, key changes, penetration testing,
review of off-site backups, QSA assessment, etc.

> Quarterly: ASV and internal scans, wireless scans

> Weekly: file integrity checking

> Daily: log and alerts review, other operational procedures
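The weekly file integrity check in the list above is the one item a hosting customer can rarely buy from the provider, because only the customer knows which files on a server in scope are supposed to change. The following is an added example, not from the slides: a baseline-and-compare integrity monitor that records a SHA-256 digest and the permission bits of every regular file under a tree while the host is in a known-good state, then reports files that were added, removed or modified on a later pass. The directory layout, file names and the tampering in demo() are constructed for illustration.

```python
"""Baseline-and-compare file integrity check for a CDE host.

Added example, not from the slides. It implements the weekly file integrity
checking task from the table above: record a SHA-256 digest and permission
bits for every regular file under a monitored tree while the host is in a
known-good state, then compare a later pass against that baseline and report
files that were added, removed or modified. The directory layout, file names
and the tampering in demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to (digest, mode)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o7777
            baseline[rel] = (sha256_of(full), mode)
    return baseline


def compare(baseline, current):
    """Differences between two baselines, each as a sorted list of paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def write(path, text, mode=0o640):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "app"))
        write(os.path.join(root, "etc", "httpd.conf"), "Listen 443\n")
        write(os.path.join(root, "app", "checkout.php"), "<?php // takes card details ?>\n")
        write(os.path.join(root, "app", "old.php"), "<?php // unused ?>\n")
        baseline = build_baseline(root)

        # Tampering: card data exfiltration appended to the checkout page, a web
        # shell dropped, an unused file deleted, a config file made world-writable.
        with open(os.path.join(root, "app", "checkout.php"), "a") as f:
            f.write("// mail($_POST['card']) to attacker\n")
        write(os.path.join(root, "app", "shell.php"), "<?php system($_GET['c']); ?>\n")
        os.remove(os.path.join(root, "app", "old.php"))
        os.chmod(os.path.join(root, "etc", "httpd.conf"), 0o666)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two practical points the code does not enforce: the baseline has to be stored somewhere the monitored host cannot rewrite it, otherwise whoever modified the files simply re-baselines afterwards; and "weekly" is the compliance floor, not the target, since a change to a payment page should feed the daily log and alert review rather than wait for the next scheduled run.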
While we are "in the cloud"...

Here are some additional
CSA/cloud security resources.

CSA GRC Stack






Bringing it all together to peel back the layers of control ownership and address
concerns for trusted Cloud adoption.

[GRC Stack diagram: CloudAudit, Control Requirements and Provider Assertions, spanning Private, Community &
Public Cloud.]

CSA CloudAudit
> Open standard and API to automate provider audit assertions

> Change audit from data gathering to data analysis

> Necessary to provide audit & assurance at the scale demanded by
cloud providers

> Uses Cloud Controls Matrix as controls namespace

> Use to instrument cloud for continuous controls monitoring
CSA Cloud Controls Matrix

> Controls derived from guidance

> Mapped to familiar frameworks:
ISO 27001, COBIT, PCI, HIPAA

> Rated as applicable to SaaS/PaaS/IaaS

> Customer vs Provider role

> Help bridge the "cloud gap"
for IT & IT auditors

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
CSA Australia

> Cloud Security Alliance, Australian Chapter.

> LinkedIn Group:

http://www.linkedin.com/groups?gid=3966724

[Screenshot: LinkedIn group "Cloud Security Alliance Australia Chapter".]
Founding Directors - CSA-AU

> Ben Chung (HP, NSW)

> David Ross (BPC, QLD)

> Gary Gardiner (Check Point, QLD)

> Darren Skidmore (FIS, VIC)

> Tim Smith (BPC, QLD)

> Wipul Jayawickrama (Infoshield, QLD)

> Marcel Sorouni (BUPA, NSW)

> Richard Keirstead (Ernst & Young, VIC)

> Michael Trott (BPC, QLD)

> Chad Walker (Infoshield, QLD)

> Craig Lawson (HP, QLD)

> Simon O'Brien (BPC, QLD)

> Marcus Wong (CBA, NSW)

> Archie Reed (HP, NSW)

> Jason Wood (CBA, NSW)
Areas of Interest



> Virtualisation Security; 

> Jurisdiction, Legal and Privacy issues as particular 
to Australian states and territories; 

> Identity Management; and 

> Standards, Compliance, and Audit. 
CSA-AU meeting THU 12:35 Norfolk

Certificate of Cloud Security Knowledge

Cloud computing is being aggressively adopted on a global basis as businesses seek to reduce 
costs and improve their agility. And one of the critical needs of the industry is to provide training 
and certification of professionals to assure that cloud computing is implemented responsibly, 
and with the appropriate security controls. 

The Cloud Security Alliance has developed a widely adopted catalogue of security best 
practices, the "Security Guidance for Critical Areas of Focus in Cloud Computing. V2.1". In 
addition, the European Network and Information Security Agency (ENISA) whitepaper "Cloud 
Computing. Benefits. Risks and Recommendations for Information Security" is an important 
contribution to the cloud security body of knowledge. 

The Certificate of Cloud Security Knowledge (CCSK) provides evidence that an individual has 
successfully completed an examination covering the key concepts of the CSA guidance and 
ENISA whitepaper. 

Examination Fee 

The CCSK examination costs US$295. This entitles you to attempt the test up to two times. If
necessary, additional test attempts can be purchased for US$295 each.
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
Did I mention... ?

> http://www.linkedin.com/groups?gid=3966724

> https://chapters.cloudsecurityalliance.org/australia/